Tcpip Vista
Transcript of Tcpip Vista
-
8/14/2019 Tcpip Vista
1/55
Contents
Windows Vista TCP/IP Networking and IPv6 Migration.Cover ........................................... 3Windows Vista TCP/IP Networking and IPv6 Migration .................................................. 3
Windows Vista TCP/IP Networking and IPv6 Migration.Copy ............................................ 3Windows Vista TCP/IP Networking and IPv6 Migration ...................................................... 4
New TCP/IP architecture in Windows Vista..................................................................... 5IPv6 enabled by default ................................................................................................ 5
IPv6 configuration ............................................................................................................ 6Automatic configuration ................................................................................................ 6Manual configuration .................................................................................................... 6
The properties of the Internet Protocol version 6 (TCP/IPv6) component ................ 7Commands in the Netsh interface ipv6 context ........................................................ 7
Turning off IPv6 ............................................................................................................ 7Disabling IPv6 per connection .................................................................................. 8Disabling IPv6 components ...................................................................................... 8
Configuring IPv6 by using the properties of Internet Protocol version 6 (TCP/IPv6) . 10General tab ................................................................................................................. 11Advanced TCP/IP Settings ......................................................................................... 12
IP Settings tab ......................................................................................................... 12DNS tab................................................................................................................... 13
Configuring IPv6 manually with Netsh.exe................................................................. 15Configuring IPv6 addresses .................................................................................... 16Adding default gateways ......................................................................................... 17Adding DNS servers ............................................................................................... 18
Deploying Windows Vista with IPv6 into existing Windows networks ........................... 19Deployment phases .................................................................................................... 20
Phase 1: IPv6 transition technologies ..................................................................... 20Phase 2: Native IPv6 .............................................................................................. 22
Intranet deployment by using ISATAP ....................................................................... 22ISATAP router ......................................................................................................... 23Resolving the ISATAP name .................................................................................. 24Using the Netsh interface ipv6 isatap set router command .................................... 25
Internet deployment by using 6to4 ............................................................................. 25ISATAP and 6to4 example...................................................................................... 29IPv4 NAT traversal using Teredo ............................................................................ 32
-
8/14/2019 Tcpip Vista
2/55
Network address translation (NAT) devices ........................................................... 34Teredo components ................................................................................................ 38Teredo addresses ................................................................................................... 39
Communicating by using a Teredo address ........................................................... 42
DNS infrastructure ...................................................................................................... 43Address resource records ....................................................................................... 43Pointer resource records......................................................................................... 44Address selection rules ........................................................................................... 44
PortProxy .................................................................................................................... 45Vista TCP/IP performance tuning .................................................................................. 46
Receive Side Scaling ................................................................................................. 49TCP Chimney Offload ................................................................................................ 50Receive Window Auto-Tuning .................................................................................... 50
How Receive Window Auto-Tuning worked in Windows XP and Server 2003 ...... 50How Receive Window Auto-Tuning works in Windows Vista ................................. 51Compound TCP .......................................................................................................... 51
Explicit Congestion Notification .............................................................................. 51TCP bandwidth control and capacity planning with QoS............................................... 52
Scenario: Regulating Bandwidth Consumption .......................................................... 53Pre-deployment planning ........................................................................................ 54Deploying GPO for TCP receive-side window ........................................................ 54Post-deployment in domain .................................................................................... 55
-
8/14/2019 Tcpip Vista
3/55
3
Windows Vista TCP/IP Networking andIPv6 Migration.Cover
Windows Vista TCP/IP Networking and IPv6MigrationMicrosoft Corporation
Published: 02/2007
Author: Corey Plett
Editor: Scott Somohano
Windows Vista TCP/IP Networking andIPv6 Migration.Copy
Information in this document, including URL and other Internet Web site references, is
subject to change without notice. Unless otherwise noted, the example companies,
organizations, products, domain names, e-mail addresses, logos, people, places, and
events depicted herein are fictitious, and no association with any real company,
organization, product, domain name, e-mail address, logo, person, place, or event is
intended or should be inferred. Complying with all applicable copyright laws is the
responsibility of the user. Without limiting the rights under copyright, no part of this
document may be reproduced, stored in or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical, photocopying,
recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other
intellectual property rights covering subject matter in this document. Except as expressly
-
8/14/2019 Tcpip Vista
4/55
4
provided in any written license agreement from Microsoft, the furnishing of this document
does not give you any license to these patents, trademarks, copyrights, or other
intellectual property.
2005 Microsoft Corporation. All rights reserved.
Microsoft, Windows, Windows NT, Windows Server, and Active Directory are either
registered trademarks or trademarks of Microsoft Corporation in the United States and/or
other countries.
All other trademarks are property of their respective owners.
Windows Vista TCP/IP Networking andIPv6 Migration
Windows Vista includes networking and TCP/IP performance enhancements that can
prove valuable to the efficiency and future growth of corporate networks and the Internet.
Windows Vista TCP/IP responds more intelligently and automatically to network
conditions than previous versions of Windows. Some of these enhancements might
appear to create problems for network administrators. For example, TCP/IP performance
features can monopolize available network bandwidth at the expense of computers
running previous versions of Windows. Unlike Windows XP, Windows Vista has fewer
restrictions on the amount of TCP/IP traffic it can receive, and it automatically tunes itself
for best performance. Thus it can cause bandwidth usage spikes not previously
associated with Windows. Another potential problem for network administrators is the
possibility that their networks will have additional traffic generated by IPv6 and its
associated transition technologies, such as ISATAP and 6to4.
Microsoft believes that the benefits of new features and behavior in Windows Vista
TCP/IP far outweigh the potential for negative impact on your network, and that with theproper understanding and deployment of these features, your organization can realize
the benefits of Windows Vista TCP/IP without experiencing any negative impact to your
network.
-
8/14/2019 Tcpip Vista
5/55
5
Note
For an overview of Windows Vista networking advancements, seeEnterprise
Networking with Windows Vistaon the Microsoft Web site athttp://go.microsoft.com/fwlink/?LinkID=71544.
New TCP/IP architecture in Windows VistaInternet Protocol version 6 (IPv6) in Windows XP and Windows Server 2003
implemented a dual stack architecture. IPv6 support required installation of a separate
protocol by using the Network Connections folder. The separate IPv6 protocol stack had
its own Transport layer that included Transmission Control Protocol (TCP) and User
Datagram Protocol (UDP), and its own Framing layer.
The newly reengineered version of TCP/IP in Windows Vista, supports a dual IP layerarchitecture in which the IPv4 and IPv6 implementations share common Transport and
Framing layers. Windows Vista TCP/IP has both IPv4 and IPv6 enabled by default.
There is no need to install a separate component to obtain IPv6 support.
Combining the transport and framing layers in the new dual layer TCP/IP architecture
provides for efficiencies and functionality not available in previous versions of Microsoft
Windows:
The Transport layer contains the implementations of TCP and UDP, and a
mechanism to send raw IP packets that do not need a TCP or UDP header.
The Network layer contains implementations of both IPv4 and IPv6 in a dual IP layer
architecture.
The Framing layer contains modules that frame IPv4 or IPv6 packets. Modules exist
for physical networking technologies such as IEEE 802.3 (Ethernet), IEEE 802.11,
and wide area networks (Point-to-Point Protocol [PPP]-based traffic). Modules also
exist for logical interfaces such as the loopback interface, IPv4-based tunnels, and
IPv6-based tunnels. IPv4-based tunnels are commonly used for IPv6 transition
technologies.
IPv6 enabled by default
In Windows Vista, IPv6 is installed and enabled by default. The Internet ProtocolVersion 6 (TCP/IPv6) component can be configured in the Properties of a connection in
Network Connections. To access Network Connections, click Start, and then right-
click Network. In the Network and Sharing Center, click Manage Network
Connections.
http://go.microsoft.com/fwlink/?LinkID=71544http://go.microsoft.com/fwlink/?LinkID=71544http://go.microsoft.com/fwlink/?LinkID=71544http://go.microsoft.com/fwlink/?LinkID=71544http://go.microsoft.com/fwlink/?LinkID=71544http://go.microsoft.com/fwlink/?LinkID=71544http://go.microsoft.com/fwlink/?LinkID=71544 -
8/14/2019 Tcpip Vista
6/55
6
When both IPv4 and IPv6 are enabled, Windows Vista TCP/IP prefers IPv6. For example,
if the results of Domain Name System (DNS) Name Query Response messages contain
both IPv6 and IPv4 addresses, Windows Vista TCP/IP will attempt to communicate overIPv6 first, subject to the address selection rules that are defined in RFC 3484. The
preference of IPv6 over IPv4 offers IPv6-enabled applications better network connectivity
because IPv6 connections can use IPv6 transition technologies such as Teredo, which
allow peer or server applications to operate behind network address translation (NAT)
devices without requiring NAT configuration or application modification.
IPv6 configurationIPv6 can automatically configure itself, even without the use of a configuration protocol
such as Dynamic Host Configuration Protocol for IPv6 (DHCPv6). All IPv6 nodes
automatically configure a link-local address with the address prefix fe80::/64 for each
physical or logical IPv6 interface. Link-local addresses can only be used to reach
neighboring nodes, they are not registered in Domain Name System (DNS), and might
require a zone ID when specifying a destination link-local address.
Additional IPv6 addresses and other configuration parameters for more useful IPv6
connectivity can be configured either automatically or manually.
Automatic configuration
Beyond the link-local address, an IPv6 host (an IPv6 node that is not a router) uses
stateless address autoconfiguration with IPv6 router discovery.
Using stateless address autoconfiguration, an IPv6 host sends a multicast Router
Solicitation message and receives one or more Router Advertisement messages. The
Router Advertisement messages contain subnet prefixes (from which the IPv6 host
determines additional IPv6 addresses and adds routes to the IPv6 routing table) and
other configuration parameters such as a default gateway.
Manual configuration
Typical IPv6 hosts do not need to be manually configured. IPv6 routers do need to be
manually configured for IPv6 addresses and routing behavior. You can manually
configure IPv6 addresses and other parameters in Windows Vista by using the following
methods.
-
8/14/2019 Tcpip Vista
7/55
7
The properties of the Internet Protocol version 6 (TCP/IPv6)component
Windows Vista allows the ability to configure IPv6 settings from the Windows graphical
user interface. Just as you can configure IPv4 settings by using the properties of the
Internet Protocol Version 4 (TCP/IPv4) component in the Network Connections folder,
you can now configure IPv6 settings by using the properties of the Internet Protocol
Version 6 (TCP/IPv6) component. The set of dialog boxes for IPv6 configuration are very
similar to corresponding dialog boxes for IPv4.
Commands in the Netsh interface ipv6 context
Just like Windows XP, you can configure IPv6 settings for Windows Vista from the
interface ipv6 context of the Netsh.exe tool.
Turning off IPv6
In addition to being enabled by default in Windows Vista, IPv6 cannot be uninstalled. The
benefits of using IPv6 outweigh the amount of extra traffic that might be generated by
using IPv4 and IPv6 at the same time. The transition from IPv4 to IPv6 can be more
easily made by using the IPv6 transition technologies provided with Windows Vista.
Although you can turn off IPv6 on a per connection basis, you will lose the following
benefits by doing so:
IPv6 is used by Windows Meeting Space (a Windows Vista application) to
automatically discover systems that are nearby. Because Windows Meeting Space is
an IPv6-only application, turning off IPv6 makes Windows Meeting Space unusable.
More applications, over time, will support and benefit from IPv6, so network users will
automatically gain those benefits.
Users and staff will start to learn what IPv6 is.
Broadcasts have been replaced by multicast in IPv6. In many instances where a
broadcast was used in IPv4 (for example, ARP), the corresponding IPv6 mechanism
(in this case Neighbor Discovery) uses multicast. This means that when neighbors on
the same link wish to discover each others Layer 2 addresses, in almost all cases,
only the two endpoints involved in the discovery process will see the traffic.
Clients using IPv6 autoconfiguration or DHCPv6 (available in Windows Server
Code Name "Longhorn") to obtain dynamic addresses also use multicast to talk to
their local router. BOOTP is not used in IPv6, thus producing no broadcasts.
-
8/14/2019 Tcpip Vista
8/55
-
8/14/2019 Tcpip Vista
9/55
9
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcpip6\Parame
ters.
3. Right-click Parameters, click New, and then click DWORD (32-bit) Value.
4. Type DisabledComponents in Name, right click DisabledComponents and then
click Modify.
5. In Value Data, type the hexidecimal value associated with the IPv6 component you
want to disable (see the table below for values).
6. Restart your computer.
Note
DisabledComponents is set to 0 by default.
The value of the DisabledComponents registry entry is a bit mask that controls thefollowing series of flags, starting with the low order bit (Bit 0):
Bit 0. Set to 1 to disable all IPv6 tunnel interfaces, including ISATAP, 6to4, and
Teredo tunnels. Default value is 0.
Bit 1. Set to 1 to disable all 6to4-based tunnel interfaces. Default value is 0.
Bit 2. Set to 1 to disable all ISATAP-based tunnel interfaces. Default value is 0.
Bit 3. Set to 1 to disable all Teredo-based tunnel interfaces. Default value is 0.
Bit 4. Set to 1 to disable IPv6 overall non-tunnel interfaces, including LAN interfaces
and PPP-based interfaces. Default value is 0.
Bit 5. Set to 1 to modify the default prefix policy table to prefer IPv4 to IPv6 when
attempting connections. Default value is 0. For more information about the prefix
policy table, seeSource and Destination Address Selection for IPv6at
http://go.microsoft.com/fwlink/?LinkId=82439.
To determine the value of DisabledComponents for a specific set of bits, construct a
binary number consisting of the bits and their values in their correct position and convert
the resulting number to hexadecimal. For example, if you want to disable 6to4 interfaces,
disable Teredo interfaces, and prefer IPv4 to IPv6, you would construct the following
binary number: 101010. When converted to hexadecimal, the value of
DisabledComponents is 0x2A.
The following table lists some common configuration combinations and the corresponding
value of DisabledComponents.
http://go.microsoft.com/fwlink/?LinkId=82439http://go.microsoft.com/fwlink/?LinkId=82439http://go.microsoft.com/fwlink/?LinkId=82439http://go.microsoft.com/fwlink/?LinkId=82439 -
8/14/2019 Tcpip Vista
10/55
10
Configuration combination DisabledComponents value
Disable all tunnel interfaces 0x1
Disable 6to4 0x2
Disable ISATAP 0x4
Disable Teredo 0x8
Disable Teredo and 6to4 0xA
Disable all LAN and PPP interfaces 0x10
Disable all LAN, PPP, and tunnel
interfaces
0x11
Prefer IPv4 over IPv6 0x20
Disable IPv6 overall interfaces and prefer
IPv4 to IPv6
0xFF
Important
You must restart your computer for changes to DisabledComponents registry
value to take effect.
Configuring IPv6 by using the properties of Internet
Protocol version 6 (TCP/IPv6)
To manually configure IPv6 settings through the Windows graphical user interface, use
the following procedure.
To configure IPv6 settings by using the graphical user interface
1. In Network Connections, right-click the connection or adapter for which you
want to manually configure IPv6, and then click Properties.
2. On the Configure tab for the properties of the connection or adapter, double-
click Internet Protocol Version 6 (TCP/IP) in the list under This connection
uses the following items.
Windows Vista displays the Internet Protocol Version 6 (TCP/IPv6) Properties
dialog box.
-
8/14/2019 Tcpip Vista
11/55
11
General tab
A network connection can use IPv6 autoconfiguration to dynamically assign itself a non-
link-local address, or it can obtain an IPv6 address from a DHCPv6 server.
Alternatively, a network connection can use a manually specified IPv6 address (also
known as a static IPv6 address). If you select this option, you must specify an IP address
in IPv6 address. You must also specify a subnet prefix length and a default gateway.
The default prefix length (unless specified otherwise) is 64.
When you select Obtain an IPv6 address automatically, IPv6 autoconfiguration is
enabled. A Windows Vista network connection uses router discovery to determine
additional addresses and default gateways. An advertising router can specify that the
network connection must use DHCPv6 to obtain more IPv6 addresses, but it is not
required by default.
Note
Although Windows Vista supports DHCPv6 as a client, Windows Server 2003
does not support DHCPv6 as a server. DHCPv6 server support is available in
Windows Server "Longhorn".
When you select Use the following IPv6 address, IPv6 autoconfiguration is still
enabled, but static IPv6 addresses are assigned in addition to the auto-configured IPv6
addresses.
To configure IPv6 for dynamic addressing (default)
On the General tab of the IPv6 Properties dialog box, click Obtain an IPv6
address automatically, and then click OK.
This procedure is only required if a static IPv6 configuration was previously used.
By default, computers running Windows operating systems attempt to obtain IP
configuration automatically. In this context, DNS is included as part of IP
configuration.
To configure IPv6 for static addressing
1. On the General tab of the IPv6 Properties dialog box, click Use the following
IPv6 address, and then do one of the following:
For a local area connection, in IPv6 address, Subnet prefix length, and
Default gateway, type the IPv6 address, subnet prefix length, and default
gateway address.
For all other connections, in IPv6 address, type the IPv6 address.
-
8/14/2019 Tcpip Vista
12/55
12
2. Click Use the following DNS server addresses.
3. In Preferred DNS server and Alternate DNS server, type the IPv6 adresses for
the primary and secondary DNS servers.
To configure advanced static IPv6 address settings for a local area connection, click
Advanced.
Advanced TCP/IP Settings
On the General tab, you can click Advanced to access the Advanced TCP/IP Settings
dialog box.
This dialog box is very similar to the Advanced TCP/IP Settings dialog box for the
Internet Protocol Version 4 (TCP/IPv4) component except that there is no WINS tab
(IPv6 does not use NetBIOS and the Windows Internet Name Service [WINS]) or
Options tab (TCP/IP filtering is only defined for IPv4 traffic). For IPv6, the Advanced
TCP/IP Settings dialog box has IP Settings and DNS tabs.
Note
You can use the settings on this tab for this network connection only if you are
not using the Obtain an IPv6 address automatically on the General tab.
IP Settings tab
The IP Settings tab is used to configure your computer's IP address and default gateway
settings. Following is a description of each setting that can be specified on this tab:
IP addresses lists additional Internet Protocol version 6 (IPv6) addresses that can be
assigned to the specified network connection. There is no limit to the number of IP
addresses that can be configured. This setting is useful if this computer connects to a
single physical network but requires advanced IP addressing because of either of the
following reasons:
A single logical IP subnet is in use and this computer needs to use more than
one IP address to communicate on that subnet.
Multiple logical IP subnets are in use and this computer needs a different IP
address to communicate with each of the different logical IP subnets.
Default gateways lists IP addresses for additional default gateways that can be used
by this network connection. A default gateway is an IP router that is used to forward
packets to destinations beyond the local subnet.
-
8/14/2019 Tcpip Vista
13/55
13
Automatic metric specifies whether TCP/IP automatically calculates an interface
metric that is based on the speed of the interface. The highest-speed interface has
the lowest interface metric.
Interface metric provides a location for you to type a value for the interface metric
for this network connection. A lower value for the interface metric indicates a higher
priority for use of this interface. The default value is 5.
To configure additional IP addresses for this connection
1. In IP addresses, click Add.
2. Type an IP address in IP address.
3. Type a subnet prefix length in Subnet prefix length, and then click Add.
4. Repeat steps 1 through 3 for each IP address you want to add, and then clickOK.
To configure additional default gateways for this connection
1. On the IP Settings tab, in Default gateways, click Add.
2. In the Default gateways dialog box, type the IP address of the default gateway
in Gateway. To manually configure a default route metric, clear the Automatic
metric check box, and then type a metric in Metric.
3. Click Add.
4. Repeat steps 1 through 3 for each default gateway you want to add, and thenclick OK.
To configure a custom metric for this connection
On the IP settings tab, clear the Automatic metric check box, and then type a
metric value in Interface metric.
DNS tab
The DNS tab is used to configure how your computer obtains and uses DNS server
addresses. Following is an explanation of each of the parameters that can be specified in
this tab:
DNS server addresses, in order of use lists the DNS servers by IP address that
this computer queries to resolve DNS domain names used on this computer. DNS
-
8/14/2019 Tcpip Vista
14/55
14
servers are queried in the order in which they are listed. The local setting is used only
if the associated Group Policy is disabled or unspecified.
Append primary and connection specific DNS suffixes specifies that resolution
for unqualified DNS names that are used on this computer are limited to the domain
suffixes of the primary suffix and all connection-specific suffixes. Connection-specific
suffixes are configured in DNS suffix for this connection. The primary DNS suffix is
configured by clicking Properties on the Computer Name tab (available in System in
Control Panel). The local setting is used only if the associated Group Policy is
disabled or unspecified.
For example, if your primary DNS suffix is dev.wcoast.microsoft.com and you type
ping xyz at a command prompt, the computer queries for
xyz.dev.wcoast.microsoft.com. If you also configure a connection-specific domain
name on one of your connections for bldg23.dev.wcoast.microsoft.com, the computerqueries for xyz.dev.wcoast.microsoft.com and xyz.bldg23.dev.wcoast.microsoft.com.
Append these DNS suffixes (in order) lists the DNS suffixes to search in the order
listed.
DNS suffix for this connection provides a space for you to specify a DNS suffix for
this connection. If a DHCP server configures this connection and you do not specify a
DNS suffix, a DNS suffix is assigned to this connection by the DHCP server. If you
specify a DNS suffix, the DNS suffix assigned by the DHCP server is ignored. The
local setting is used only if the associated Group Policy is disabled or unspecified.
Register this connection's addresses in DNS specifies that the computer attempt
dynamic registration of the IP addresses (by using DNS) of this connection with thefull computer name of this computer, as specified on the Computer Name tab
(available in System in Control Panel). The local setting is used only if the associated
Group Policy is disabled or unspecified.
Use this connection's DNS suffix in DNS registration specifies whether DNS
dynamic update is used to register the IP addresses and the connection-specific DNS
name of this connection. The connection-specific DNS name of this connection is the
concatenation of the computer name (which is the first label of the full computer
name) and the DNS suffix of this connection. The full computer name is specified on
the Computer Name tab (available in System in Control Panel). If the Register this
connection's addresses in DNS check box is selected, this registration is in
addition to the DNS registration of the full computer name. The local setting is used
only if the associated Group Policy is disabled or unspecified.
-
8/14/2019 Tcpip Vista
15/55
15
To configure an additional DNS server IP address
1. On the DNS tab, under DNS server addresses, in order of use, click Add.
2. In DNS server, type the IP address of the DNS server, and then click Add.
To modify the resolution behavior for unqualified DNS names
To resolve an unqualified name by appending the primary DNS suffix and the
DNS suffix of each connection (if configured), click Append primary and
connection specific DNS suffixes. If you also want to search the parent
suffixes of the primary DNS suffix up to the second level domain, select the
Append parent suffixes of the primary DNS suffix check box.
To resolve an unqualified name by appending the DNS suffixes from a list of
configured DNS suffixes, click Append these DNS suffixes (in order), and thenclick Add to add suffixes to the list.
To configure a connection-specific DNS suffix, type the DNS suffix in DNS suffix
for this connection.
To modify DNS dynamic update behavior
To use a DNS dynamic update to register the IP addresses of this connection
and the primary domain name of the computer, select the Register this
connection's addresses in DNS check box. This setting is enabled by default.
The primary domain name of the computer is the primary DNS suffix appended
to the computer name and can be viewed as the full computer name on theComputer Name tab (available in System in Control Panel).
To use a DNS dynamic update to register the IP addresses and the connection-
specific domain name of this connection, select the Use this connection's DNS
suffix in DNS registration check box. This setting is disabled by default. The
connection-specific domain name of this connection is the DNS suffix for this
connection appended to the computer name.
Configuring IPv6 manually with Netsh.exe
As in Windows XP, you can configure IPv6 addresses and other configuration
parameters at the command line using commands in the Netsh interface ipv6 context. All
of the parameters described in the previous section "Configuring IPv6 by using the
properties of Internet Protocol version 6 (TCP/IPv6)," can also be performed at the
command line with Netsh.exe.
-
8/14/2019 Tcpip Vista
16/55
16
You can run these commands at the command prompt for the netsh interface ipv6
context. For these commands to work at the command prompt in Windows Vista, you
must type netsh interface ipv6 before typing commands and parameters as they appearin the following syntax.
To view help for a command at the command prompt, type CommandName/?, where
CommandNameis the name of the command.
Configuring IPv6 addresses
To configure IPv6 addresses, you can use the netsh interface ipv6 add address
command by using the following syntax:
add address
Adds an IPv6 address to a specified interface. Time values can be expressed in days (d),
hours (h), minutes (m), and seconds (s). For example, 2d represents two days.
Syntax
add address [[interface=]String] [address=]IPv6Address[[type=]{unicast | anycast}]
[[validlifetime=]{Integer| infinite}] [[preferredlifetime=]{Integer| infinite}]
[[store=]{active | persistent}]
Parameters
[[ interface=] String]
Specifies an interface name or index.
[ address=] IPv6Address
Required. Specifies the IPv6 address to add.
[[ type=]{ unicast| anycast}]
Specifies whether a unicast address or an anycast address is added. The
default is unicast.
[[ validlifetime=]{ Integer| infinite}]
Specifies the lifetime over which the address is valid. The default value is
infinite.
[[ preferredlifetime=]{ Integer| infinite}]
Specifies the lifetime over which the address is the preferred address. The
default value is infinite.
-
8/14/2019 Tcpip Vista
17/55
17
[[ store=]{ active| persistent}]
Specifies whether the change lasts only until the next computer restart
(active) or is persistent. The default selection is persistent.
Examples
This example command adds the IPv6 address FE80::2 to the interface named
"Private."
add address "Private" FE80::2
This example command adds the IPv6 unicast address 2001:db8:290c:1291::1 on
the interface named "Local Area Connection" with infinite valid and preferred lifetimes
and makes the address persistent:
netsh interface ipv6 add address "Local Area Connection" 2001:db8:290c:1291::1
Adding default gateways
To configure a default gateway, you can use the netsh interface ipv6 add route
command and add a default route (::/0) by using the following syntax:
add route
Adds a route for a specified prefix. Time values can be expressed in days (d), hours (h),
minutes (m), and seconds (s). For example, 2d represents two days.
Syntax
add route [prefix=]IPv6Address/Integer[[interface=]String] [[nexthop=]IPv6Address]
[[siteprefixlength=]Integer] [[metric=]Integer] [[publish=]{no | yes | immortal}]
[[validlifetime=]{Integer| infinite}] [[preferredlifetime=]{Integer| infinite}]
[[store=]{active | persistent}]
Parameters
[ prefix=] IPv6Address/Integer
Required. Specifies the prefix for which to add a route. Integerspecifies the
prefix length.
[[ interface=] String]
Specifies an interface name or index.
[[ nexthop=] IPv6Address]
Specifies the gateway address, if the prefix is not on-link.
-
8/14/2019 Tcpip Vista
18/55
18
[[ siteprefixlength=] Integer]
Specifies the prefix length for the entire site, if the prefix is not on-link.
[[ metric=] Integer]
Specifies the route metric.
[[ publish=]{ no| yes| immortal}]
Specifies whether routes are advertised (yes), advertised with an infinite
lifetime (immortal), or not advertised (no) in route advertisements. The
default selection is no.
[[ validlifetime=]{ Integer| infinite}]
Specifies the lifetime over which the route is valid. The default value is
infinite.
[[ preferredlifetime=]{ Integer| infinite}]
Specifies the lifetime over which the route is preferred. The default value is
infinite.
[[ store=]{ active| persistent}]
Specifies whether the change lasts only until the next computer restart
(active) or is persistent. The default selection is persistent.
Examples
This example command adds a route on the interface named "Internet" with a prefix of
3FFE:: and a prefix length of 16 bits (3FFE::/16). The nexthop value is FE80::1.
netsh interface ipv6 add route 3FFE::/16 "Internet" FE80::1
This example command adds a default route that uses the interface named "Local Area
Connection" with a next-hop address of fe80::2aa:ff:fe9a:21b8, you would use the
following command:
netsh interface ipv6 add route ::/0 "Local Area Connection" fe80::2aa:ff:fe9a:21b8
Adding DNS servers
To configure the IPv6 addresses of DNS servers, you can use the netsh interface ipv6
add dnsserver command by using the following syntax:
add dns
Adds a new DNS server IP address to the statically configured list of DNS servers for the
specified interface.
-
8/14/2019 Tcpip Vista
19/55
-
8/14/2019 Tcpip Vista
20/55
20
RFC 1752 defines the following transition criteria:
Existing IPv4 hosts can be upgraded at any time, independent of the upgrade of
other hosts or routers.
Hosts that use only IPv6 can be added at any time, without dependencies on other
hosts or routing infrastructure.
IPv4 hosts on which IPv6 is installed can continue to use their IPv4 addresses and do
not need additional addresses.
Little preparation is required to either upgrade IPv4 nodes to IPv6 or deploy new IPv6
nodes.
Deployment phases
The inherent lack of dependencies between IPv4 and IPv6 hosts, IPv4 routing
infrastructure, and IPv6 routing infrastructure requires several mechanisms that allow
seamless transition. You will use these technologies in phase 1 of your IPv6 deployment
to move IPv6 traffic over native IPv4 networks. In phase 2 of your IPv6 deployment, you
will turn off these technologies as your routing infrastructure and the Internet start to
support native IPv6.
Phase 1: IPv6 transition technologies
With the dwindling supply of IPv4 addresses and an expected proliferation of IPv6
applications, IPv6 is expected to eventually replace IPv4. With that transition in mind,Microsoft has made a concerted effort to provide the following IPv6 transition
technologies that will help to make the transition seamless and non-disruptive.
ISATAP and 6to4 provide standard mechanisms to automatically tunnel IPv6 traffic
across an existing IPv4 infrastructure.
ISATAP
ISATAP is a technology that assigns addresses, configures tunnels between hosts and
between routers and hosts, and provides unicast IPv6 connectivity between IPv6 hosts
across an IPv4 intranet. ISATAP is described in the RFC 4214. ISATAP hosts do not
require any manual configuration, and they create ISATAP addresses by using standard
mechanisms for address autoconfiguration.
ISATAP is useful when you have network infrastructure (such as routers, firewalls, and
load balancers) that dont support IPv6. Generally this is the case when IPv6 is being
enabled incrementally on your IPv4 network, instead of all at once.
-
8/14/2019 Tcpip Vista
21/55
21
In general ISATAP will allow for IPv6 communication over an IPv4 Intranet (no IPv6
routers). For example, if you have a typical corporate network with only IPv4 routers, yet
you have clients on different subnets using an application that requires IPv6 (for exampleWindows Meeting Space). In this case, ISATAP allows the IPv6 applications to
communicate over the IPv4 intranet. The IPv6 header and application payload are
tunneled in an IPv4 header to traverse the (IPv4 only) routers in the intranet.
ISATAP clients can also communicate with native IPv6 clients in a case where you have
IPv4-only subnets and IPv6-capable subnets. After your entire intranet infrastructure
supports IPv6, you will no longer need ISATAP.
IPv6/IPv4 hosts can use ISATAP to communicate on an IPv4-only network. ISATAP
addresses use the locally administered interface identifier ::0:5EFE:w.x.y.zwhere the
w.x.y.zportion is any public or private unicast IPv4 address.
The ISATAP interface identifier can be combined with any 64-bit prefix that is valid forIPv6 unicast addresses. This includes the link-local address prefix (FE80::/64) and global
prefixes (including 6to4 prefixes).
Like 6to4 addresses, ISATAP addresses contain embedded IPv4 addresses that are
used to determine the destination IPv4 addresses within the IPv4 header when ISATAP-
addressed IPv6 traffic is tunneled across an IPv4 network.
6to4
6to4 is a technology that assigns addresses and automatically configures tunnels
between routers to provide unicast IPv6 connectivity between IPv6 sites and hosts across
the IPv4 Internet.
In general, 6to4 routers are used to allow IPv6 clients to communicate with each other by
using IPv6 over the IPv4 Internet. 6to4 routers require a public IPv4 address.
Like ISATAP, the application data and IPv6 header are encapsulated in an IPv4 header
as it traverses the IPv4 Internet.
Teredo
Teredo provides IPv4 NAT Traversal capabilities by tunneling IPv6 over the top of
UDP/IPv4.
Note
For more information about IPv6 transition technologies, see "IPv6 Transition
Technologies" on the Microsoft Web site at
http://go.microsoft.com/fwlink/?LinkID=67210.
http://go.microsoft.com/fwlink/?LinkID=67210http://go.microsoft.com/fwlink/?LinkID=67210http://go.microsoft.com/fwlink/?LinkID=67210http://go.microsoft.com/fwlink/?LinkID=67210http://go.microsoft.com/fwlink/?LinkID=67210http://go.microsoft.com/fwlink/?LinkID=67210http://go.microsoft.com/fwlink/?LinkID=67210 -
8/14/2019 Tcpip Vista
22/55
22
Phase 2: Native IPv6
As stated earlier, the ultimate goal of your IPv6 deployment should be native IPv6 in an
IPv6-only environment. Along with the IPv6 transition technologies provided by Microsoft,
support for both IPv4 and IPv6 native protocols are already built into most new hardware
routers. Your existing routers might already support IPv6 natively as well. As you plan
your IPv6 deployment, take an inventory of your existing network to determine which
components support IPv6 already, and make a plan to replace your old routing
infrastructure with native IPv6 routers and Layer 3 switches. In addition, start specifying
IPv6 support for all of your operational and management systems.
However, you do not need to upgrade your existing IPv4 network to get started with IPv6.
Windows Vista automatically detects the best IPv6 transition technology to use based on
the network it discovers.
Intranet deployment by using ISATAP
As mentioned previously, the IPv6 protocol for Windows Vista automatically configures
the link-local ISATAP address of FE80::5EFE:w.x.y.z on an ISATAP tunneling interface
for each IPv4 address that is assigned to the node. This link-local ISATAP address allows
two hosts to communicate over an IPv4 network by using each others link -local ISATAP
addresses.
For example, Host A is configured with the IPv4 address of 10.40.1.29, and Host B is
configured with the IPv4 address of 192.168.41.30. When the IPv6 protocol for
Windows Vista is started, Host A is automatically configured with the ISATAP address of
FE80::5EFE:10.40.1.29, and Host B is automatically configured with the ISATAP address
of FE80::5EFE:192.168.41.30.
When Host A sends IPv6 traffic to Host B by using the link-local ISATAP address of Host
B, the source and destination addresses for the IPv6 and IPv4 headers are as listed in
the following table.
Example Link-Local ISATAP Addresses
Field Value
IPv6 Source Address FE80::5EFE:10.40.1.29
IPv6 Destination Address FE80::5EFE:192.168.41.30
IPv4 Source Address 10.40.1.29
IPv4 Destination Address 192.168.41.30
-
8/14/2019 Tcpip Vista
23/55
23
To test connectivity, use the ping command. For example, Host A would use the following
command to ping Host B by using its link-local ISATAP address:
ping FE80::5EFE:192.168.41.30%7
Because the destination of the ping command is a link-local address, the %ZoneID portion
of the command specifies the interface index from which traffic is sent. In this case, %7
specifies interface 7, which is the interface index assigned to the ISATAP tunneling
interface on Host A. The ISATAP tunneling also uses the last 32 bits of the next-hop
address for the destination as the destination IPv4 address. The source IPv4 address is
based an IPv4 routing table lookup to determine the best IPv4 address to use as a
source to reach the destination.
ISATAP routerThe use of link-local ISATAP addresses allows IPv6/IPv4 hosts on the same logical
ISATAP subnet (an IPv4 network) to communicate with each other, but not with other
IPv6 addresses on other subnets. To communicate outside the logical ISATAP subnet
using ISATAP-derived global addresses, IPv6 hosts using ISATAP addresses must
tunnel their packets to an ISATAP router.
An ISATAP router is an IPv6 router that:
Forwards packets between ISATAP hosts on an IPv4 network and hosts on other
subnets.
The other subnets can be other IPv4 networks (such as a portion of an organization
network or the IPv4 Internet) or subnets in a native IPv6 routing domain (such as an
organizations IPv6 network or the IPv6 Internet).
Acts as a default router for ISATAP hosts.
Advertises address prefixes to identify the IPv4 network on which ISATAP hosts are
located. ISATAP hosts use the advertised address prefixes to configure global
ISATAP addresses.
When an ISATAP host receives a Router Advertisement message from an ISATAP router
that is advertising itself as a default router, a default route (::/0) is added using the
ISATAP tunneling with the next-hop address set to the link-local ISATAP address that
corresponds to the IPv4 subnet interface of the ISATAP router. When packets are sent tolocations outside the IPv4-only network, they are tunneled to the IPv4 address that
corresponds to the ISATAP routers interface on the IPv4 network. The ISATAP router
then forwards the IPv6 packet to the ISATAP host.
-
8/14/2019 Tcpip Vista
24/55
24
For the IPv6 protocol for Windows Vista, the configuration of the intranet IPv4 address of
the ISATAP router is obtained by using one of the following methods:
The resolution of the client name "ISATAP" to an IPv4 address.
The netsh interface ipv6 isatap set router command.
Resolving the ISATAP name
When the IPv6 protocol for Windows Vista starts, it attempts to resolve the name
ISATAP to an IPv4 address using normal TCP/IP name resolution techniques. These
techniques include the following:
1. Checking the local host name.
2. Checking the DNS client resolver cache, which includes the entries in the Hosts file.
This file is located in the %systemroot%\system32\drivers\etc folder.
3. Forming a fully qualified domain name and sending a DNS name query. For example,
if the computer running Windows Vista is a member of the example.microsoft.com
domain (and example.microsoft.com is the only domain name in the search list), the
computer sends a DNS query to resolve the name isatap.example.microsoft.com.
4. Converting the ISATAP name into the NetBIOS name ISATAP , and then
checking the NetBIOS name cache.
5. Sending a NetBIOS name query to the configured WINS servers.
6. Sending NetBIOS broadcasts.
7. Checking the Lmhosts file. This file is located in the
%systemroot%\system32\drivers\etc folder.
If the name is resolved, the host sends an IPv4-encapsulated Router Solicitation
message to the ISATAP router. The ISATAP router responds with an IPv4-encapsulated
unicast Router Advertisement message that contains prefixes to use for autoconfiguring
ISATAP-based addresses and, optionally, an indication that the router is a default router.
To ensure that at least one of these attempts is successful, you can do one of the
following:
If the ISATAP router is a computer running Windows Vista, name the computer
ISATAP, and it will automatically register the appropriate records in DNS and WINS.
Manually create an ISATAP address (A) resource record in the appropriate domain in
DNS. For example, create an A resource record for isatap.example.microsoft.com.
-
8/14/2019 Tcpip Vista
25/55
25
Manually create a static WINS record in WINS for the NetBIOS name ISATAP
.
Add the following entry to the Hosts file of the computers that need to resolve the
name ISATAP:
IPv4Address ISATAP
Add the following entry to the Lmhosts file of the computers that need to resolve the
name ISATAP:
IPv4Address ISATAP
Using the Netsh interface ipv6 isatap set router command
Although the automatic resolution of the ISATAP name is the recommended method for
configuring the IPv4 address of the ISATAP router, you can configure this address
manually by using the netsh interface ipv6 isatap set router command.
The syntax of this command is: netsh interface ipv6 isatap set router
AddressOrName, where AddressOrNameis the name or IPv4 address of the ISATAP
routers intranet interface. For example, if the ISATAP routers IPv4 address is
192.168.39.1, the command is: netsh interface ipv6 isatap set router 192.168.39.1.
After a host has been configured, it sends an IPv4-encapsulated Router Solicitation
message to the ISATAP router. The ISATAP router responds with an IPv4-encapsulated
unicast Router Advertisement message that contains prefixes to use for autoconfiguring
ISATAP-based addresses.
Internet deployment by using 6to4
6to4 uses the global address prefix 2002:WWXX:YYZZ::/48, in which WWXX:YYZZis the
colon-hexadecimal representation of a public IPv4 address (w.x.y.z) assigned to a site or
host. The full 6to4 address is 2002:WWXX:YYZZ:[Subnet ID]:[Interface ID]
RFC 3056 describes 6to4 in the following terms:
6to4 host
Any IPv6 host that is configured with at least one 6to4 address (a global address with the
2002::/16 prefix). 6to4 hosts do not require any manual configuration, and they create
6to4 addresses by using standard address autoconfiguration mechanisms.
6to4 router
An IPv6/IPv4 router that supports the use of a 6to4 tunnel interface and that is typically
used to forward 6to4-addressed traffic between the 6to4 hosts within a site and other
-
8/14/2019 Tcpip Vista
26/55
26
6to4 routers or 6to4 relays on an IPv4 internetwork, such as the Internet. 6to4 routers
require additional processing logic for proper encapsulation and decapsulation, and they
might require manual configuration.
6to4 relay
An IPv6/IPv4 router that forwards 6to4-addressed traffic between 6to4 routers on the
Internet and hosts on the IPv6 Internet.
Within a site, IPv6 routers advertise 2002:WWXX:YYZZ:[Subnet ID]::/64 prefixes so that
hosts can create an autoconfigured 6to4 address and so that 64-bit prefix routes are
used to deliver traffic between 6to4 hosts within the site. Hosts on individual subnets are
automatically configured with a 64-bit subnet route for direct delivery to neighbors and a
default route that has the next-hop address of the advertising router. All IPv6 traffic that
does not match a 64-bit prefix used by one of the subnets within the site is forwarded to a
6to4 router on the site border.
The 6to4 router on the site border has a 2002::/16 prefix that is used to forward traffic to
other 6to4 sites and a default route (::/0) that is used to forward traffic to a 6to4 relay.
In the example network described above, Host A and Host B can communicate with each
other because of a default route using the next-hop address of the 6to4 router in Site 1.
When Host A communicates with Host C in another site, Host A sends the traffic to the
6to4 router in Site 1 as IPv6 packets. The 6to4 router in Site 1, using the 6to4 tunnel
interface and the 2002::/16 prefix in its routing table, encapsulates the packet with an
IPv4 header and tunnels the packet to the 6to4 router in Site 2. When the 6to4 router in
Site 2 receives the packet, the router removes the IPv4 header and, using the 64-bit
prefix route in its routing table, forwards the IPv6 packet to Host C.
In this example, Host A (with the interface ID ID_A) resides on subnet 1 within Site 1,
which uses the public IPv4 address of 157.60.91.123. Host C (with the interface ID ID_C)
resides on subnet 2 within Site 2, which uses the public IPv4 address of 131.107.210.49.
When the 6to4 router in Site 1 sends the IPv4-encapsulated IPv6 packet to the 6to4
router in Site 2, the addresses in the IPv4 and IPv6 headers are as listed in the following
table.
Example 6to4 Addresses
Field Value
IPv6 Source Address 2002:9D3C:5B7B:1:[ID_A]
IPv6 Destination Address 2002:836B:D231:2:[ID_C]
IPv4 Source Address 157.60.91.123
-
8/14/2019 Tcpip Vista
27/55
27
Field Value
IPv4 Destination Address 131.107.210.49
The following types of communication are possible when 6to4 hosts, an IPv6 routing
infrastructure within a site, a 6to4 router at the site boundary, and a 6to4 relay are used:
A 6to4 host can communicate with another 6to4 host within the same site.
This type of communication is available with the IPv6 routing infrastructure, which
provides reachability to all hosts within the site.
A 6to4 host can communicate with 6to4 hosts in other sites across the IPv4 Internet.
This type of communication occurs when a 6to4 host forwards IPv6 traffic that is
destined to a 6to4 host in another site to the 6to4 router for the local site. The 6to4router for the local site tunnels the IPv6 traffic through the IPv4 Internet to the 6to4
router at the destination site. The 6to4 router at the destination site removes the IPv4
header and forwards the IPv6 packet to the appropriate 6to4 host by using the IPv6
routing infrastructure of the destination site.
A 6to4 host can communicate with hosts on the IPv6 Internet.
This type of communication occurs when a 6to4 host forwards IPv6 traffic that is
destined for an IPv6 Internet host to the 6to4 router for the local site. The 6to4 router
for the local site tunnels the IPv6 traffic to a 6to4 relay that is connected to both the
IPv4 Internet and the IPv6 Internet. The 6to4 relay removes the IPv4 header and
forwards the IPv6 packet to the appropriate IPv6 Internet host by using the routinginfrastructure of the IPv6 Internet.
All of these types of communication use IPv6 traffic without having to obtain either a
direct connection to the IPv6 Internet or an IPv6 global address prefix from an ISP.
Communicating by using a 6to4 address
The IPv6 protocol for Windows Vista contains a 6to4 component that supports 6to4 hosts
and 6to4 routers. If a public IPv4 address is assigned to an interface on the host and a
global prefix is not received in a router advertisement, the 6to4 component:
Configures 6to4 addresses on the 6to4 tunneling interface for all public IPv4
addresses that are assigned to interfaces on the computer.
Creates a 2002::/16 route that forwards all 6to4 traffic with the 6to4 tunneling
interface. All traffic forwarded by this host to 6to4 destinations is encapsulated with
an IPv4 header.
-
8/14/2019 Tcpip Vista
28/55
-
8/14/2019 Tcpip Vista
29/55
29
2002:836B:1759:5::/64 route for the local subnet and a default route with a next-hop
address of the link-local address of the private interface of the ICS computer. Private
hosts can communicate with each other on the same subnet using the2002:836B:1759:5::/64 route. For all other 6to4 sites or the IPv6 Internet, the IPv6
packets are forwarded to the ICS computer using the default route.
For traffic to other 6to4 sites, the ICS computer uses its 2002::/16 route and encapsulates
the IPv6 traffic with IPv4 headers and sends the packets across the IPv4 Internet to
another 6to4 router. For all other IPv6 traffic, the ICS computer uses its default route and
encapsulates the IPv6 traffic with IPv4 headers and sends the packets across the IPv4
Internet to a 6to4 relay.
Note
The 6to4 component does not perform network address translation on the IPv6
packets that it forwards. ICS translates network addresses for IPv4 packets being
forwarded to and from private hosts. The 6to4 component uses the ICS
configuration to determine the public IPv4 address and public interface on the
ICS computer.
ISATAP and 6to4 example
The following example describes two ISATAP hosts that are using 6to4 prefixes to
communicate across the Internet even though each site is using the 192.168.0.0/16
private address space internally.
In this configuration: ISATAP Host A automatically configures a link-local ISATAP address of
FE80::5EFE:192.168.12.9 on its ISATAP tunneling interface.
6to4 Router A automatically configures a link-local ISATAP address of
FE80::5EFE:192.168.204.1 on its ISATAP tunneling interface (facing Site A).
6to4 Router B automatically configures a link-local ISATAP address of
FE80::5EFE:192.168.39.1 on its ISATAP tunneling interface (facing Site B).
ISATAP Host B automatically configures a link-local ISATAP address of
FE80::5EFE:192.168.141.30 on its ISATAP tunneling interface.
ISATAP Host A can reach 6to4 Router A and all other hosts within Site A by using link-local ISATAP addresses. However, ISATAP Host A cannot reach any addresses outside
Site A. 6to4 Router A constructs the global prefix 2002:9D36:1:5::/64. (9D36:1 is the
colon-hexadecimal notation for 157.54.0.1 and 5 is the interface index of 6to4 Router As
intranet interface.) 6to4 Router A also advertises the prefix using a Router Advertisement
-
8/14/2019 Tcpip Vista
30/55
30
message on its intranet interface. However, ISATAP Host A is not on 6to4 Router As
subnet and will never create a global address based on this 6to4 prefix.
To configure ISATAP Host A to receive the router advertisement from 6to4 Router A, the
network administrator for Site A has configured 6to4 Router A as an ISATAP router. The
administrator has also added an A resource record to Site As DNS infrastructure so that
the name ISATAP is resolved to the IPv4 address of 192.168.204.1. Upon startup, the
IPv6 protocol on Host A resolves the ISATAP name and sends a Router Solicitation
message to the addresses listed in the following table.
Field Value
IPv6 Source Address FE80::5EFE:192.168.12.9
IPv6 Destination Address FF02::2IPv4 Source Address 192.168.12.9
IPv4 Destination Address 192.168.204.1
6to4 Router A receives the Router Solicitation message from ISATAP Host A and sends
back a unicast Router Advertisement message advertising itself as a default router with a
Prefix Information option to automatically configure IPv6 addresses using the prefix
2002:9D36:1:2::/64. (9D36:1 is the colon-hexadecimal notation for 157.54.0.1, and 2 is
the interface index of 6to4 Router As ISATAP tunneling interface.)
The Router Advertisement message is sent to the addresses listed in the following table.
Field Value
IPv6 Source Address FE80::5EFE:192.168.204.1
IPv6 Destination Address FE80::5EFE:192.168.12.9
IPv4 Source Address 192.168.204.1
IPv4 Destination Address 192.168.12.9
ISATAP Host A receives the Router Advertisement message and autoconfigures its own
address as 2002:9D36:1:2:0:5EFE:192.168.12.9. The host also configures a default route
(::/0) using the ISATAP tunneling interface (interface index 2) with the next-hop address
of FE80::5EFE:192.168.204.1 and a 2002:9D36:1:2::/64 route using the ISATAP
tunneling interface.
-
8/14/2019 Tcpip Vista
31/55
31
Similarly, 6to4 Router B is configured as an ISATAP router, and Site B has an
appropriate A resource record in its DNS infrastructure so that ISATAP Host B
autoconfigures its own address as 2002:836B:1:2:0:5EFE:192.168.141.30. (836B:1 is thecolon-hexadecimal notation for 131.107.0.1.) ISATAP Host B also configures a default
route (::/0) using the ISATAP tunneling interface (interface index 2) with the next-hop
address of FE80::5EFE:192.168.39.1 and a 2002:836B:1:2::/64 route using the ISATAP
tunneling interface.
ISATAP Host A can now send a packet to ISATAP B. Packet addressing comprises three
parts
Part 1: From ISATAP Host A to 6to4 Router A
ISATAP Host A sends the IPv6 packet by using the ::/0 route, which uses the ISATAP
tunneling interface. By using this route, the next-hop address for this packet is set to the
link-local ISATAP address of 6to4 Router A (FE80::5EFE:192.168.204.1).
Using the ISATAP tunneling interface, the packet is tunneled using IPv4 from the Host A
IPv4 intranet interface (192.168.12.9) to the embedded IPv4 address in the ISATAP next-
hop address (192.168.204.1). The resulting addresses are listed in the following table.
Field Value
IPv6 Source Address 2002:9D36:1:2:0:5EFE:192.168.12.9
IPv6 Destination Address 2002:836B:1:2:0:5EFE:192.168.141.30
IPv4 Source Address 192.168.12.9
IPv4 Destination Address 192.168.204.1
Part 2: From 6to4 Router A to 6to4 Router B
6to4 Router A receives the IPv4 packet and removes the IPv4 header. 6to4 Router A
then forwards the IPv6 packet with the 2002::/16 route that uses the 6to4 ISATAP
tunneling interface. The router, by using this route, ensures that the next-hop address for
this packet is set to the destination address (2002:836B:1:2:0:5EFE:192.168.141.30).
The packet is tunneled using IPv4 and the 6to4 ISATAP tunneling interface from the
address assigned to its Internet interface (157.54.0.1) of 6to4 Router A to the embedded
address in the 6to4 prefix (836B:1) of the next-hop address (131.107.0.1). The resulting
addresses are listed in the following table.
-
8/14/2019 Tcpip Vista
32/55
32
Field Value
IPv6 Source Address 2002:9D36:1:2:0:5EFE:192.168.12.9
IPv6 Destination Address 2002:836B:1:2:0:5EFE:192.168.141.30
IPv4 Source Address 157.54.0.1
IPv4 Destination Address 131.107.0.1
Part 3: From 6to4 Router B to ISATAP Host B
6to4 Router B receives the IPv4 packet and removes the IPv4 header. 6to4 Router B
then forwards the IPv6 packet by using the 2002:836B:1:2::/64 route that uses the
ISATAP ISATAP tunneling interface. The router, by using this route, ensures that the
next-hop address for this packet is set to the destination address
(2002:836B:1:2:0:5EFE:192.168.141.30).
Because the packet is forwarded by using ISATAP tunneling interface, the packet is
tunneled from the IPv4 intranet interface of 6to4 Router B (192.168.39.1) to the
embedded IPv4 address in the ISATAP IPv6 address (192.168.141.30) of Host B. 6to4
Router B sets the addresses in the forwarded packet as listed in the following table.
Field Value
IPv6 Source Address 2002:9D36:1:2:0:5EFE:192.168.12.9
IPv6 Destination Address 2002:836B:1:2:0:5EFE:192.168.141.30
IPv4 Source Address 192.168.39.1
IPv4 Destination Address 192.168.141.30
IPv4 NAT traversal using Teredo
Teredo, also known as IPv4 network address translation (NAT) traversal for IPv6, is an
IPv6 transition technology that is enabled but inactive in Windows Vista, and wont
activate unless there is an application or service that needs to use it. Teredo turns on in 2
cases:
1. An application attempts to connect to a remote Teredo address. The Teredo service
realizes it needs to start to allow communication to another Teredo peer. Teredo will
keep running for the duration that the application/service is trying to communicate
over Teredo, and then go back into an inactive state after a time-out (i.e. where
-
8/14/2019 Tcpip Vista
33/55
33
Teredo isnt running again). This would occur if you opened a web browser and put in
a URL that had a Teredo address in it.
2. An application/service that wants to listen for unsolicited traffic has a Windows
Firewall exception with the advanced Edge Traversal option set. The Teredo
service will start up, and stay running, as long as there is an application/service
listening which has a firewall exception using the Edge Traversal option. An example
of this is Windows Meeting Space. Windows Meeting Space sets the Edge Traversal
option, allowing it to receive incoming traffic over Teredo. Windows Messenger will
set the edge traversal option in future versions as well.
Note
You can turn off Teredo with policy on your edge firewall (block resolution to
teredo.ipv6.microsoft.com or block outbound UDP), or with the
DisabledComponents registry value.
Teredo provides address assignment and host-to-host automatic tunneling for unicast
IPv6 connectivity when IPv6/IPv4 hosts are located behind one or multiple IPv4 NAT
devices. To traverse IPv4 NAT devices, IPv6 packets are sent as IPv4-based User
Datagram Protocol (UDP) messages. This section provides an overview of Teredo
including Teredo addresses and packet structures and detailed explanations of how
communication is initiated between Teredo clients.
Teredo is an address assignment and automatic tunneling technology that provides
unicast IPv6 connectivity across the IPv4 Internet. 6to4 is a well -defined automatic
tunneling technology that also provides unicast IPv6 connectivity across the IPv4
Internet. However, 6to4 works best when a 6to4 router exists at the edge of the site. The6to4 router uses a public IPv4 address to construct the 6to4 prefix and acts as an IPv6
advertising and forwarding router. The 6to4 router encapsulates and decapsulates IPv6
traffic sent to and from site nodes.
6to4 relies on the configuration of a public IPv4 address and the implementation of 6to4
routing functionality in the edge device. Many small office/home office (SOHO)
configurations include an IPv4 NAT device. For more information about how network
address translation works, see Network address translation (NAT) devices later in this
section. In most NAT configurations, the device providing NAT functionality is not capable
of being a 6to4 router. Even if all NAT devices could support 6to4, some configurations
contain multiple levels of NATs. In these configurations, a 6to4-capable NAT device willnot work because it does not have a public IPv4 address.
Teredo addresses the lack of 6to4 functionality in modern-day NAT devices and multi-
layered NAT configurations by tunneling IPv6 packets between the hosts within the sites.
In contrast, 6to4 uses tunneling from the edge device. Tunneling between hosts presents
-
8/14/2019 Tcpip Vista
34/55
34
another issue for NAT devices: IPv4-encapsulated IPv6 packets are sent with the
Protocol field in the IPv4 header set to 41. Most NAT devices translate only TCP or UDP
traffic, and they must either be manually configured to translate other protocols or haveinstalled NAT editors that handle the translation. Because Protocol 41 translation is not a
common feature of NAT devices, IPv4-encapsulated IPv6 traffic will not traverse typical
NAT devices. Therefore, to allow IPv6 traffic to traverse one or multiple NAT devices, the
IPv6 packet is encapsulated as an IPv4 UDP message, containing both an IPv4 and a
UDP header. UDP messages can be translated universally by NAT devices and can
traverse multiple layers of NAT devices.
To summarize, Teredo is an IPv6/IPv4 transition technology that allows automatic IPv6
tunneling between hosts that are located across one or more IPv4 NAT devices. IPv6
traffic from Teredo hosts can traverse NAT devices because it is sent as IPv4 UDP
messages. If a NAT device supports UDP port translation, then the NAT device supports
Teredo. The exception is a symmetric NAT device. For more information, see Types of
NAT devices later in this section.
Teredo is designed as a last-resort transition technology for IPv6 connectivity and it is not
recommended as an enterprise solution because it creates traffic that may cause
performance issues with edge firewalls on networks with a large number of client
computers . If native IPv6, 6to4, or ISATAP connectivity is present, the host does not act
as a Teredo client. As more IPv4 NAT devices are upgraded to support 6to4 and IPv6
connectivity becomes ubiquitous, Teredo will be used less and less and eventually
eliminated.
Network address translation (NAT) devices
As defined in RFC 1631, a network address translation (NAT) device is an IPv4 router
that can translate the IP addresses and TCP/UDP port numbers of packets as it forwards
them between public and private networks. For example, consider a small business
network with multiple computers that connect to the Internet. Without a NAT device, this
business would need to obtain a public IP address for each computer on the network.
With a NAT device, however, the small business can use private addressing (as
described in RFC 1918) and then configure the NAT device to map its private addresses
to a single or to multiple public IP addresses.
NAT device is a common solution for the following combination of requirements:
The administrator wants to leverage a single connection over multiple computers,
rather than connecting each one to the Internet.
The administrator wants to use private addressing.
-
8/14/2019 Tcpip Vista
35/55
35
The administrator wants to allow access to Internet resources without having to
deploy a proxy server.
How network address translation works
NAT typically uses the following process:
1. When a client computer on the small business intranet connects to an Internet
resource, the TCP/IP protocol of the client creates an IP packet with the following
values set in the IP and TCP or UDP headers (bold text indicates the fields that are
affected by the NAT device):
Destination IP Address: IP address of the Internet resource
Source IP Address: Private IP address
Destination Port: TCP or UDP port of the Internet resource
Source Port: Source application TCP or UDP port
2. The source host or another router forwards this IP packet to the NAT device, which
translates -- or remaps-- the source IP address and TCP/UDP port numbers of the
outgoing packet to a public source IP address and TCP/UDP port number as follows:
Destination IP Address: IP address of the Internet resource
Source IP Address: ISP-allocated public address
Destination Port: TCP or UDP port of the Internet resource
Source Port: Remapped source application TCP or UDP port
3. The NAT device sends the remapped IP packet over the Internet. The responding
computer sends back a response to the NAT device. The response contains the
following addressing information:
Destination IP Address: ISP-allocated public address
Source IP Address: IP address of the Internet resource
Destination Port: Remapped source application TCP or UDP port
Source Port: TCP or UDP port of the Internet resource
4. When the NAT device maps and translates the destination IP address and TCP/UDP
port numbers back to the private IP address and original TCP/UDP port numbers,
and then forwards the packet to the intranet client with the following addressing
information:
Destination IP Address: Private IP address
-
8/14/2019 Tcpip Vista
36/55
36
Source IP Address: IP address of the Internet resource
Destination Port: Source application TCP or UDP port
Source Port: TCP or UDP port of the Internet resource
For example, a small business is using the 192.168.0.0/24 private network ID for its
intranet and has been allocated a single public IP address of 131.107.0.1 by its ISP.
When a user with the private address 192.168.0.99 on the small business intranet
connects to a Web server at the IP address 157.60.0.1, the users TCP/IP protocol
creates an IP packet with the following values set in the IP and TCP or UDP headers:
Destination IP Address: 157.60.0.1
Source IP Address: 192.168.0.99
Destination Port: 80
Source Port: 1025
The source host forwards this packet to the NAT device, which translates the addresses
of the outgoing packet as follows:
Destination IP Address: 157.60.0.1
Source IP Address: 131.107.0.1
Destination Port: 80
Source Port: 5000
The NAT device sends the remapped packet over the Internet. The Web server sends
back a response to the NAT device. The response contains the following addressing
information:
Destination IP Address: 131.107.0.1
Source IP Address: 157.60.0.1
Destination Port: 5000
Source Port: 80
When the NAT device maps and translates the addresses and forwards the packet to the
intranet client, the packet contains the following addressing information:
Destination IP Address: 192.168.0.99
Source IP Address: 157.60.0.1
Destination Port: 1025
Source Port: 80
-
8/14/2019 Tcpip Vista
37/55
37
The mappings for private to public traffic are stored in a NAT translation table, which can
contain two types of entries:
Dynamic mappings
Created when private network clients initiate communication. Dynamic mappings are
removed from the NAT translation table after a specified amount of time, unless
traffic that corresponds to the mapping refreshes it.
Static mappings
Configured manually so that communication that Internet clients initiate can be
mapped to specific private network addresses and ports. Static mappings are needed
when you want to make servers (for example, Web servers) or applications (for
example, games) on the private network available to computers that are connected to
the Internet. Static mappings are not automatically removed from the NAT translation
table.
The NAT device forwards traffic from the Internet to the private network only if the NAT
translation table contains an appropriate mapping. In this way, the NAT device provides
an incoming packet filtering function for computers that are connected to private network
segments. However, a NAT device should not be used in place of a fully featured firewall
for protection against malicious traffic from the Internet.
Types of NAT devices
NAT devices fall into the following types:
Cone NAT devices
A NAT device in which the NAT translation table entry stores a mapping between an
internal address and port number and an external address and port number. When
the NAT translation table entry is in place, inbound traffic to the external address and
port number from any source address and port number is translated.
Restricted NAT devices
A NAT device in which the NAT translation table entry stores a mapping between an
internal address and port number and an external address and port number, for
either specific source addresses or specific source address and port numbers. An
inbound packet from an unknown external address or port number is silently
discarded.
Symmetric NAT devices
-
8/14/2019 Tcpip Vista
38/55
38
A NAT device that maps the same internal address and port number to different
external addresses and ports, depending on the external destination address (for
outbound traffic).
Teredo, like all peer-to-peer (P2P) technologies, does not work well with symmetric
NAT devices. Computers behind symmetric NAT devices will not be able to
communicate with other computers behind symmetric, or port restricted NAT devices.
However, computers behind cone or simple address restricted NAT devices can
communicate with any other computer, regardless of NAT device type. Windows XP
did not support symmetric NAT devices with Teredo. Windows Vista supports limited
symmetric NAT communication. Teredo in Windows Vista can work between Teredo
clients if only one Teredo client is behind one or more symmetric NATs. Even so, the
best solution is to use a NAT device that also supports 6to4. This way your router can
handle the IPv6 transition technology work and Teredo will not be needed.
Teredo components
Following are the components of the Teredo infrastructure:
Teredo clients running Windows Vista
Teredo servers
Teredo relays
Teredo host-specific relays
Teredo clients running Windows Vista
A Teredo client is an IPv6/IPv4 node that supports a Teredo tunneling interface by which
packets are sent to either other Teredo clients or nodes on the IPv6 Internet (through a
Teredo relay). A Teredo client communicates with a Teredo server to obtain an address
prefix from which a Teredo-based IPv6 address is configured or to help initiate
communication with other Teredo clients or hosts on the IPv6 Internet.
Teredo servers
A Teredo server is an IPv6/IPv4 node that is connected to both the IPv4 Internet and the
IPv6 Internet and that supports a Teredo tunneling interface over which packets are
received. The general role of the Teredo server is to help configure addresses for Teredoclients and to facilitate the initial communication between Teredo clients and other
Teredo clients or between Teredo clients and IPv6-only hosts. The Teredo server listens
on UDP port 3544 for Teredo traffic.
-
8/14/2019 Tcpip Vista
39/55
39
Teredo relay
A Teredo relay is an IPv6/IPv4 router that can forward packets between Teredo clients on
the IPv4 Internet (using a Teredo tunneling interface) and IPv6-only hosts. In somecases, the Teredo relay interacts with a Teredo server to help it facilitate initial
communication between Teredo clients and IPv6-only hosts. The Teredo relay listens on
UDP port 3544 for Teredo traffic.
Communication between Teredo clients and IPv6 hosts that are configured with global
addresses must go through a Teredo relay. This is required for IPv6-only hosts
connected to the IPv6 Internet. However, when the IPv6 host enabled for both IPv6 and
IPv4 and connected to both the IPv4 Internet and IPv6 Internet, then communication
should occur between the Teredo client and the IPv6 host over the IPv4 Internet, rather
than having to traverse the IPv6 Internet and go through a Teredo relay.
Teredo host-specific relay
A Teredo host-specific relay is an IPv6/IPv4 node that has an interface and connectivity
to both the IPv4 Internet and the IPv6 Internet and that can communicate directly with
Teredo clients over the IPv4 Internet, without the need for an intermediate Teredo relay.
The connectivity to the IPv4 Internet can be by using a public IPv4 address or by using a
private IPv4 address and a neighboring NAT device. Connectivity to the IPv6 Internet can
be made by using a direct connection to the IPv6 Internet or by using an IPv6 transition
technology such as 6to4, where IPv6 packets are tunneled across the IPv4 Internet. The
Teredo host-specific relay listens on UDP port 3544 for Teredo traffic.
Teredo addresses
A Teredo address consists of the following:
Teredo prefix
The first 32 bits are for the Teredo prefix, which is the same for all Teredo addresses.
The 3FFE:831F::/32 prefix was initially used for the Windows XP implementation of
Teredo. The address space of 2001::/32 has been reserved for Teredo by IANA in
RFC 4380 and is the prefix used by Teredo in Windows Vista. Computers running
Windows XP will use the new 2001::/32 prefix when updated withMicrosoft Security
Bulletin MS06-064at http://go.microsoft.com/fwlink/?LinkId=82440.
Teredo server IPv4 address
The next 32 bits contain the IPv4 public address of the Teredo server that helped
configure this Teredo address.
Flags
http://go.microsoft.com/fwlink/?LinkId=82440http://go.microsoft.com/fwlink/?LinkId=82440http://go.microsoft.com/fwlink/?LinkId=82440http://go.microsoft.com/fwlink/?LinkId=82440http://go.microsoft.com/fwlink/?LinkId=82440http://go.microsoft.com/fwlink/?LinkId=82440http://go.microsoft.com/fwlink/?LinkId=82440 -
8/14/2019 Tcpip Vista
40/55
40
The next 16 bits for are reserved for Teredo flags. The only defined flag is the high-
order bit known as the Cone flag. The Cone flag is set when the NAT device that is
connected to the Internet is a cone NAT device. The determination of whether theNAT device that is connected to the Internet is a cone NAT device occurs during the
initial configuration of a Teredo client.
For Windows Vista-based Teredo clients, unused bits within the Flags field provide a
level of protection from address scans by malicious users. The 16 bits within the
Flags field for Windows Vista-based Teredo clients consists of the following:
CRAAAAUG AAAAAAAA. The C bit is for the Cone flag. The R bit is reserved for
future use. The U bit is for the Universal/Local flag (set to 0). The G bit is
Individual/Group flag (set to 0). The A bits are set to a 12-bit randomly generated
number. By using a random number for the A bits, a malicious user that has
determined the rest of the Teredo address by capturing the initial configuration
exchange of packets between the Teredo client and Teredo server will have to try up
to 4,096 (212
) different addresses to determine a Teredo client's address during an
address scan.Obscured external port
The next 16 bits store an obscured version of the external UDP port that corresponds
to all Teredo traffic for this Teredo client. When the Teredo client sends its initial
packet to a Teredo server, the source UDP port of the packet is mapped by the NAT
device to a different, external UDP port. The Teredo client maintains this port
mapping so that it remains in the NAT devices translation table. Therefore, all
Teredo traffic for the host uses the same external, mapped UDP port. The Teredo
server determines the external UDP port from the source UDP port of the incoming
initial packet that the Teredo client sent, and the Teredo server sends the portinformation back to the Teredo client.
The external port is obscured by XORing the external port with 0xFFFF. For example,
the obscured version of external port 5000 in hexadecimal format is EC77 (5000 =
0x1388, 0x1388 XOR 0xFFFF = 0xEC77). Obscuring the external port prevents NAT
devices from translating the external port within the payload of the packets that they
are forwarding.
Obscured external address
The last 32 bits store an obscured version of the external IPv4 address that
corresponds to all Teredo traffic for this Teredo cl ient. Just like the external port,
when the Teredo client sends its initial packet to a Teredo server, the source IP
address of the packet is mapped by the NAT device to a different, external (public)
address. The Teredo client maintains this address mapping so that it remains in the
NAT devices translation table. Therefore, all Teredo traffic for the host uses the
same external, mapped, public IPv4 address. The Teredo server determines the
-
8/14/2019 Tcpip Vista
41/55
41
external IPv4 address from the source IPv4 address of the incoming initial packet that
the Teredo client sent, and the Teredo server sends the address information back to
the Teredo client.
The external address is obscured by XORing the external address with 0xFFFFFFFF.
For example, the obscured version of the public IPv4 address 131.107.0.1 in colon-
hexadecimal format is 7C94:FFFE (131.107.0.1 = 0x836B0001, 0x836B0001 XOR
0xFFFFFFFF = 0x7C94FFFE). Obscuring the external address prevents NAT
devices from translating the external address within the payload of the packets that
they are forwarding.
For Teredo client A, the following are used to construct its Teredo address:
Its external address and port for its Teredo traffic are 157.60.0.1 and UDP port 4096.
Its Teredo server is at the public IPv4 address of 206.73.118.1.
It has determined that it is behind a cone NAT device.
Therefore, using the Teredo address format of
2001::ServerAddr:Flags:ObscExtPort:ObscExtAddr, the address for Teredo client A is
2001::CE49:7601:E866:EFFF:62C3:FFFE. This address is based on the following:
CE49:7601 is the colon-hexadecimal version of 206.73.118.1.
E866 is the Flags field in which the Cone flag is set to 1 (indicating that Teredo Client A is
located behind a cone NAT), the U and G flags are set to 0, and the remaining 12 bits are
set to a random sequence to help prevent external address scans.
EFFF is the obscured version of UDP port 4096 (0x1000).
62C3:FFFE is the obscured version of the external address 157.60.0.1.
For Teredo client B, the following are used to construct its Teredo address:
Its external address and port for its Teredo traffic are 131.107.0.1 and UDP port
8192.
Its Teredo server is at the public IPv4 address of 206.73.118.1.
It has determined that it is behind a restricted NAT device.
Therefore, using the Teredo address format of
2001:ServerAddr:Flags:ObscExtPort:ObscExtAddr, the address for Teredo client B is
2001::CE49:7601:2CAD:DFFF:7C94:FFFE. This address is based on the following:
CE49:7601 is the colon-hexadecimal version of 206.73.118.1.
2CAD is the Flags field in which the Cone flag is set to 0 (indicating that Teredo
Client B is located behind a restricted NAT), the U and G flags are set to 0, and the
-
8/14/2019 Tcpip Vista
42/55
42
remaining 12 bits are set to a random sequence to help prevent external address
scans.
DFFF is the obscured version of UDP port 8192 (0x2000).
7C94:FFFE is the obscu